Debian11.3 : SSH , Firewall

Contents

1. SSH Service Security Settings
- 1.1 Creating a General User
- 1.2 SSH service configuration file changes
2. Firewall Settings

1. SSH Service Security Settings

The SSH service allows the root user to log in by default, and since the root user already knows the user name and can log in to the server with administrative privileges once the password is known, we will deny this setting.

1.1 Creating a General User

If you have created a general user when installing Debian, this procedure is not necessary.
If the only user created on the server is root, remote login via SSH will not be possible, so if a user has not been created during OS installation, a user must be created in advance.

Users can be created with the "useradd" command. The "-m" option creates a home directory and the "-p" option specifies the password.
For example, to set "debianuser" as the user account name and "123456" as the password, execute the following

# useradd -m -p 123456 debianuser

1	# useradd -m -p 123456 debianuser

1.2 SSH service configuration file changes

Modify the configuration file to change the SSH service settings, which is located in "/etc/ssh/sshd_config".
This time, we will proceed by changing the default SSH port from 22 to 2244.

# vi /etc/ssh/sshd_config

1	# vi /etc/ssh/sshd_config

#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
Port 2244
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented. Uncommented options override the

# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22

Port 2244

#AddressFamily any

ListenAddress 0.0.0.0

#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key

#HostKey /etc/ssh/ssh_host_ecdsa_key

#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying

#RekeyLimit default none

# Logging

#SyslogFacility AUTH

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

PermitRootLogin prohibit-password

#StrictModes yes

#MaxAuthTries 6

#MaxSessions 10

#Add ssh connection port 2244 on line 16
# port 22
Port 2244

#Uncomment line 17
#ListenAddress 0.0.0.0
ListenAddress 0.0.0.0

#Change the "PermitRootLogin prohibit-password" parameter, which is found near line 34.
The parameter "inhibit-password" implies that password authentication is disabled for root.
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
↓
PermitRootLogin prohibit-password

Restart SSH service

# systemctl restart sshd

1	# systemctl restart sshd

2. Firewall Settings

Since Debian often uses software called "ufw" to configure firewalls, we will configure firewall settings using ufw.
Since ufw is not installed when the OS is installed, the ufw package must be installed prior to configuration. The following is a procedure to configure minimal filter settings after installation.
Filter rules to be set in ufw
• All packets forwarded to the server are rejected
• All packets sent from the server to the outside are allowed
• The first port to allow is the port for SSH
• Limit packets coming into the server

2.1 Installing the ufw package

# apt install -y ufw

1	# apt install -y ufw

Confirmation after installation of ufw package

# dpkg -l | grep ufw
ii ufw 0.36-7.1 all program for managing a Netfilter firewall

1 2	# dpkg -l \| grep ufw ii ufw 0.36-7.1 all program for managing a Netfilter firewall

The installed "ufw package" is now displayed
Run the "systemctl status" command to check the status of ufw

# systemctl status ufw
● ufw.service - Uncomplicated firewall
     Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: e>
     Active: inactive (dead)
       Docs: man:ufw(8)

# systemctl status ufw

● ufw.service - Uncomplicated firewall

Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: e>

Active: inactive (dead)

Docs: man:ufw(8)

It can be confirmed that the ufw service is stopped by displaying "Active: inactive (dead)".

Enable ufw.

# systemctl enable ufw
Synchronizing state of ufw.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ufw

# systemctl enable ufw

Synchronizing state of ufw.service with SysV service script with /lib/systemd/systemd-sysv-install.

Executing: /lib/systemd/systemd-sysv-install enable ufw

# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

# systemctl start ufw
# systemctl status ufw
● ufw.service - Uncomplicated firewall
     Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: e>
     Active: active (exited) since Mon 2022-10-10 09:14:56 JST; 7s ago
       Docs: man:ufw(8)
    Process: 1343 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=>
   Main PID: 1343 (code=exited, status=0/SUCCESS)
        CPU: 4ms

Oct 10 09:14:56 Lepard systemd[1]: Starting Uncomplicated firewall...
Oct 10 09:14:56 Lepard ufw-init[1347]: Firewall already started, use 'force-rel>
Oct 10 09:14:56 Lepard systemd[1]: Finished Uncomplicated firewall.

# ufw enable

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y

Firewall is active and enabled on system startup

# systemctl start ufw

# systemctl status ufw

● ufw.service - Uncomplicated firewall

Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: e>

Active: active (exited) since Mon 2022-10-10 09:14:56 JST; 7s ago

Docs: man:ufw(8)

Process: 1343 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=>

Main PID: 1343 (code=exited, status=0/SUCCESS)

CPU: 4ms

Oct 10 09:14:56 Lepard systemd[1]: Starting Uncomplicated firewall...

Oct 10 09:14:56 Lepard ufw-init[1347]: Firewall already started, use 'force-rel>

Oct 10 09:14:56 Lepard systemd[1]: Finished Uncomplicated firewall.

You can see that ufw is running(active (exited))

2.2 Basic firewall rule configuration

When ufw is enabled, default firewall rules are applied. If you enable it as is, you may lose communication with the server, so set up some basic rules before enabling ufw.

2.2.1 Incoming packets Default rule settings

First, set the rules for incoming packets. The general rule is to deny all incoming packets except for specific communications. Execute "ufw default deny incoming" to basically deny all incoming packets.

# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)

# ufw default deny incoming

Default incoming policy changed to 'deny'

(be sure to update your rules accordingly)

2.2.2 Outgoing packets Default rule settings

The general rule is to allow all outgoing packets. Execute "ufw default allow outgoing" to basically allow outgoing packets.

# ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)

# ufw default allow outgoing

Default outgoing policy changed to 'allow'

(be sure to update your rules accordingly)

2.3 SSH Port Permissions

Enable automatic startup of ufw. but set SSH connection permissions first, as you may not be able to connect SSH remotely. The default SSH port is 22. Set permissions with the following command

# ufw allow ssh
# ufw reload

1 2	# ufw allow ssh # ufw reload

If you have set your own 2244 port (e.g.)

# ufw allow 2244/tcp
# ufw reload

1 2	# ufw allow 2244/tcp # ufw reload

2.4 Confirmation of ufw settings

Check the rules set in the firewall after enabling.

# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
2244/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
2244/tcp (v6)              ALLOW IN    Anywhere (v6)

# ufw status verbose

Status: active

Logging: on (low)

Default: deny (incoming), allow (outgoing), disabled (routed)

New profiles: skip

To Action From

-- ------ ----

22/tcp ALLOW IN Anywhere

2244/tcp ALLOW IN Anywhere

22/tcp (v6) ALLOW IN Anywhere (v6)

2244/tcp (v6) ALLOW IN Anywhere (v6)

2.5 Permission to limit packets coming into the server

If you want to "allow communication coming to port number ◯◯" in ufw settings, use the following command
# ufw allow [port number]
On the other hand, if you want to "disallow communication coming to port number ◯◯", use the following command
# ufw deny [port number]

2.5.1 Do not allow connections from IP addresses that access continuously

Explained using the SSH port 2244 that was just configured as an example
They will try to gain access to port 2244 by typing in the appropriate password and attempting to match it by chance so that they can log in. This is also called a brute force attack.
As a countermeasure for this, set "Do not allow connections from IP addresses that access continuously".

# ufw limit 2244

1	# ufw limit 2244

This will set the "do not allow IP addresses with more than 6 connection attempts in a 30 second period" rule.
Check the settings. Display as follows.

# ufw status
Status: active
To Action From
-- ------ ----
2244 LIMIT Anywhere
2244(v6) 1 LIMIT Anywhere (v6)

# ufw status

Status: active

To Action From

-- ------ ----

2244 LIMIT Anywhere

2244(v6) 1 LIMIT Anywhere (v6)

2.5.2 Only allow ssh connections from specific networks

Even with the above settings, the ssh port is open to the external Internet, so even if you set a limit on the number of connections, the password could be guessed in some way and a connection could be made, or a vulnerability could be exploited to gain access.
Therefore, it is recommended that ssh connections be allowed only from internal networks and all external ssh connections be set to not be allowed.
As an example, there is a host in the local area network that is assigned the IP address "192.168.11.10". Allow ssh connections only from this host. Or, allow ssh connections only from this network (192.168.11.0/24).

Allow ssh connections from 192.168.11.0/24
# ufw allow from 192.168.11.0/24 to any port 2244

1 2	Allow ssh connections from 192.168.11.0/24 # ufw allow from 192.168.11.0/24 to any port 2244

Allow ssh connections from 192.168.11.10
# ufw allow from 192.168.11.10 to any port 2244

1 2	Allow ssh connections from 192.168.11.10 # ufw allow from 192.168.11.10 to any port 2244

If you check the settings, you will see that

Result of allowing ssh connections from 192.168.11.0/24
# ufw status
Status: active
To Action From
— —— —-
2244 LIMIT Anywhere
2244 ALLOW 192.168.11.0/24
2244 (v6) LIMIT Anywhere (v6)

Result of allowing ssh connections from 192.168.11.0/24

# ufw status

Status: active

To Action From

— —— —-

2244 LIMIT Anywhere

2244 ALLOW 192.168.11.0/24

2244 (v6) LIMIT Anywhere (v6)

Delete the rule with LIMIT. View the rule number and confirm the setting.

Result of allowing ssh connections from 192.168.11.0/24
# ufw status numbered
Status: active
To Action From
— —— —-
[ 1] 2244 LIMIT IN Anywhere
[ 2] 2244 ALLOW IN 192.168.11.0/24
[ 3] 2244 (v6) LIMIT IN Anywhere (v6)

Result of allowing ssh connections from 192.168.11.0/24

# ufw status numbered

Status: active

To Action From

— —— —-

[ 1] 2244 LIMIT IN Anywhere

[ 2] 2244 ALLOW IN 192.168.11.0/24

[ 3] 2244 (v6) LIMIT IN Anywhere (v6)

Delete rule 1 by specifying its number.

# ufw delete 1
Deleting:
limit 2244
Proceed with operation (y|n)? y
Rule deleted

# ufw delete 1

Deleting:

limit 2244

Proceed with operation (y|n)? y

Rule deleted

2.5.3 Permission for web services and other services

You can also specify a port number to allow connections, or specify an application.
You can see a list of applications with the following command.

# vi /etc/services

1	# vi /etc/services

For example, to enable http and https for web services

# ufw allow http
Rule added
Rule added (v6)
# ufw allow https
Rule added
Rule added (v6)
# ufw reload

# ufw allow http

Rule added

Rule added (v6)

# ufw allow https

Rule added

Rule added (v6)

# ufw reload

2.5.4 Disable ipv6 ufw

# vi /etc/default/ufw
IPV6=yes　→　IPV6=no

1 2	# vi /etc/default/ufw IPV6=yes　→　IPV6=no

Restart the firewall after all work

# systemctl restart ufw

1	# systemctl restart ufw

Go to top